AI-powered vendor risk evaluation using Box as the document store and LangChain Deep Agents as the reasoning engine.
Vendor documents (PDF, DOCX, etc.) are downloaded from a Box folder, extracted via Box AI, pre-processed into structured summaries, and fed to a deep agent with three parallel subagents (security, compliance, contract). Results are written back to Box as a Markdown report with metadata and a review task.
- Bun v1.0+
- Box account with admin access (to authorize a CCG app)
- Sign up: Free developer account
- OpenAI or Anthropic API key
1. Install dependencies
bun install2. Create a Box CCG app
In the Box Developer Console: New App → Custom App → Server Authentication (Client Credentials Grant). Copy the Client ID and Client Secret, then authorize the app in your enterprise Admin Console → Integrations → Platform Apps Manager.
3. Configure environment
cp .env.example .envThen fill in .env with your credentials.
4. Verify credentials
bun run whoami5. Upload sample vendor documents
bun run seed # upload sample docs to Box; prints folder IDsbun run analyze <box-folder-id>The report is uploaded to a Risk Reports/ subfolder inside the vendor folder. A shareable link is printed on completion.
Two fictional vendors are included in samples/:
| Vendor | Risk Profile | SOC 2 | Notable Issues |
|---|---|---|---|
| Acme Cloud Inc. | Medium | Type II, 0 exceptions | Minor training/access review observations |
| Globex Data Solutions | High | Type I, 3 exceptions | MFA gap, no DPA, unfavorable contract terms |
Box folder (vendor docs)
↓
ingest.ts — document classification
├── profile / soc2 / contract → Box AI Extract Structured
└── questionnaire → Box AI Ask (JSON prompt)
↓
processors → compact structured JSON summaries
↓
VfsSandbox (in-memory virtual filesystem)
↓
Deep Agent orchestrator
├── security-controls → /findings/security-controls.json
├── compliance-gaps → /findings/compliance-gaps.json
└── contract-risk → /findings/contract-risk.json
↓
risk-score.json → Markdown report → Box upload + metadata + task
The agent runs inside a VfsSandbox from @langchain/node-vfs — a lightweight, in-memory virtual filesystem that gives the Deep Agent an isolated workspace without requiring containers or any external services.
How it works:
- Structured JSON summaries extracted from vendor documents are pre-loaded as virtual files at paths like
/profile/company.json,/soc2/summary.json, etc. - The three subagents (security, compliance, contract) read from and write findings back to
/findings/*.json— all inside the sandbox. - When the agent run completes, findings are read out of the sandbox and assembled into the final risk report.
The sandbox is created with VfsSandbox.create(), which is the recommended approach — it combines construction and initialization into a single async call.
| Variable | Required | Description |
|---|---|---|
BOX_CLIENT_ID |
Yes | CCG app client ID |
BOX_CLIENT_SECRET |
Yes | CCG app client secret |
BOX_USER_ID |
One of | Your Box user ID (act as yourself) |
BOX_ENTERPRISE_ID |
One of | Enterprise ID (act as service account) |
OPENAI_API_KEY |
One of | OpenAI API key |
ANTHROPIC_API_KEY |
One of | Anthropic API key |